There is a revolution coming; in fact it has arrived. The revolution is favourable to persons, to individuals.

A person is, in principle, entitled to control of her data. If government or commercial interests wish to use that data they must comply with the General Data Protection Regulation (GDPR).

The GDPR is current law and comes into effect on 25th May 2018. That date represents a cliff-edge. That edge has been made more severe due to Brexit.

Brexit, as the UK has expressed it to date, is in principle a wish to evade EU laws (including the GDPR).

However, every UK-based entity or undertaking, and the UK itself, will be exposed to the GDPR, subject to its provisions and obliged to comply with them while it is processing the data of EU citizens.

At the same time, every Irish entity, and the Irish state itself, must ensure that any data sent to the UK from Ireland, and the process of sending it, complies with the GDPR. That may make it necessary to stop data flows to the UK, in order to avoid triggering a breach of the GDPR in Ireland.

Breach of the GDPR will expose entities to considerable penalties in the form of fines. Undertakings are exposed to the possibility of being fined up to €20 million or 4% of annual global turnover, whichever is the higher.

Undertakings in Ireland that hold data may not hold it unless the data was obtained fairly. The concept of fairness carries the obligation to give detailed information about how data is processed, the grounds being used to justify processing it (just holding data is “processing”), and what rights individuals have to access, delete and “port” data and to object to processing.